quagmire1973

Hide application's startup

quagmire1973

Hey folks. OK, so I have finally completed my new script, which is used for killing various applications that are found running on a machine. It is working beautifully as we are now running this app off the network. Here's my issue though.

I want to be able to have this application run on startup on a local machine. Right now, users are executing the compiled script file from a login script. That's fine if they are logging into the network, but if it is a local computer, they don't get a script.

Now, before anyone says so, I don't want to use Run in the registry because the people we are trying to hide this script from are pretty adept. I want to be able to place the executable on their local machine, and then whenever a user logs on, it forces the application to launch.

I am working in the education field and the application is being loaded onto students' PCs. Our regular students always log on to the network, but IT students build their own domains and such, so we want to restrict it based on the local machine for those students.

Other than using the Startup folder, or the Run entry in the registry, where else can I hide a startup file? I thought of creating the EXE as a system service but am not sure how to do that either.

Any suggestions would be appreciated. Thanks

AutoChris

If these guys have admin rights to their computers (they are able to modify the registry, so I am assuming they have heightened security privileges), then not only can they erase the registry entry under HKLM\...\Run but they can stop and disable services as well.

I think a good way to do it is to put it in the registry but put it in lesser-known locations like HKCU\...\Run or HKU\...\Run instead of HKLM\...\Run where most of the startup programs are located.

As RocTx suggested, I also use srvany to run AutoIt scripts as a service.

I also have some people in the company with Admin rights who do not like having VNC Server running on their computer. So sometimes you have to get sneaky and rename the service or put it in StartUp but rename it "Microsoft Office" or something (be sure to change the icon if you do this).

Good luck. I hope you find something that works.

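The post above leans on two facts: the Run keys exist per user (HKCU, and every loaded hive under HKEY_USERS) as well as per machine (HKLM), and srvany can wrap any executable as a service. The audit below is an added example written for this page, not code from the thread or from AutoChris. It walks every Run/RunOnce key in every hive and then lists services whose binary is srvany.exe, pulling the wrapped program from the Parameters\Application value srvany reads. It assumes an elevated session (other users' hives under HKU are not readable otherwise) and that srvany is installed under its usual name.

```powershell
# Added example: enumerate autostart entries across HKLM, HKCU and every loaded user
# hive, then list services that use srvany.exe as a wrapper. Run from an elevated
# PowerShell session; HKEY_USERS subkeys for other accounts need admin rights to read.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

# Hives to walk: the machine hive, the current user, and each SID-named subkey of
# HKEY_USERS (skipping the *_Classes hives, which hold no Run keys).
$roots = @('HKLM:', 'HKCU:')
$roots += Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($root in $roots) {
    foreach ($sub in $runSubKeys) {
        $path = "$root\$sub"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # provider bookkeeping, not a value
            [pscustomobject]@{ Hive = $root; Key = $sub; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Services wrapped by srvany.exe: the service's ImagePath is srvany itself, and the
# program it actually launches is stored in <service>\Parameters\Application.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'srvany\.exe' } |
    ForEach-Object {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $app = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).Application
        [pscustomobject]@{
            Service            = $_.Name
            State              = $_.State
            ImagePath          = $_.PathName
            WrappedApplication = $app
        }
    }
```

Pipe either half into Export-Csv to keep a baseline and diff it after the machine has been in a student's hands; an entry that only shows up under one student's SID is exactly the "lesser-known location" the post describes, and a srvany service is only as hidden as its Parameters key.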
quagmire1973

See, with these guys, the only thing I can think of really is to rename the file SVCHOST.EXE and have it run in the registry. Because SVCHOST is a normal system process, it will look normal in there. Plus, the program itself kills windows that it knows, so I could include regedit, regedt32, and task manager in its data file. I just wish there was some other way to do this because I'd like to keep it hidden.

Sokko

If you can kill the regedit and task manager windows, you don't need to disguise the program as anything else. There's no need to hide it if it works well enough that there's no way to get rid of it. I have doubts on whether killing the task manager window is actually possible, though.

AutoChris

It is definitely possible to kill the Task Manager window, although I do not completely agree with that as a solution:

Start-> Run... -> "gpedit.msc" -> User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Delete -> Remove Task Manager

Or in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Key: DisableTaskMgr

Value: 1 (Disable Task Manager)

You can also just rename taskmgr.exe to something else so it will not appear.

therks

See with these guys, the only thing I can think of really is to rename the file SVCHOST.EXE and have it run in the registry.

Why not rename it to SVCHOST, then using one of the options that RocTx provided, have it start as a system service. Although personally I could still get rid of it quite easily (there's a program called Process Mate which is like the Task Manager, only it tells you the location of the .exe as well).

jftuga
quagmire1973

See that's the problem I have as well. If the program identifies Task Manager, it kills Task Manager. Not a problem. But 3rd party apps will detect it so I need to find a way to hide the app from process listers.

I also thought that I might be able to have the program delete its own entry in the registry upon startup, and when the program exits, it recreates the key. So as long as the app is active, you can't see it in ANY kind of registry editor, regardless of the brand.

Doesn't solve the issue of hiding it as a system process though. I think the SVCHOST.EXE is probably my best bet.

Gigglestick

See that's the problem I have as well. If the program identifies Task Manager, it kills Task Manager. Not a problem. But 3rd party apps will detect it so I need to find a way to hide the app from process listers.

Search the Web for these types of utilities, and use the ones mentioned above and add them to the list of processes to be killed. Possibly any task with "task" in the process name also? Maybe overkill. It would be nice if you could "hook" into Windows and intercept calls to get process lists, and either return an empty list to the calling app, or kill that app.

I also thought that I might be able to have the program delete it's own entry in the registry upon startup, and when the program exits, it recreates the key. So as long as the app is active, you can't see it in ANY kind of registry editor, regardless of the brand.

Check out OnAutoItStart and OnAutoItExit functions in the beta and do your RegDelete's and RegWrite's there.

My UDFs: ExitCodes

Gigglestick

Start-> Run... -> "gpedit.msc" -> User Configuration -> Administrative Templates -> System -> Ctrl+Alt+Delete -> Remove Task Manager

Or in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Key: DisableTaskMgr

Value: 1 (Disable Task Manager)

Domain policies can override these settings.

Gigglestick

Oh, I just thought of something to try.

I remember having to go to extraordinary lengths to kill a virus on my Dad's computer that ran two processes. Each process watched for the other one and started it if it wasn't running. It was impossible to kill both with any task killing utility I could find, including Task Manager. Ultimately, booting in Safe Mode and cleaning it up is easy to do, but it's also a hassle.

Anyway, have the process check to see if it is already running, and if not, it starts another instance of itself. Both constantly check to make sure that there are two of itself running, and it starts itself again if it doesn't find two.

Also, if you go with the SVCHOST.EXE idea, you might want to make sure it uses about the same amount of memory that something running in the real SVCHOST.EXE process uses, as well as keeping the CPU usage about the same so as not to "float" to the top or bottom of a process list if they find a way to get around your process killer and get a list of processes.


Nova

Try this: name your exe winlogon.exe, execute it and then try to kill it using taskmgr; you'll get a message saying it's a vital system process and you cannot kill it.

It can still be removed by the safe mode method mentioned above.

Only ever tried this on Windows XP Pro.

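Several posts above (quagmire1973's SVCHOST.EXE idea, therks's point that a process lister showing the image path gives it away, Gigglestick's advice to mimic svchost's memory and CPU footprint, and Nova's winlogon.exe variant) all rest on one property: the borrowed name is the only thing that matches. The check below is an added example written for this page, not code from the thread or from any of those posters. It lists processes carrying a core system binary's name and flags any whose image is not under System32 or, for svchost.exe, whose parent is not services.exe. Process inspection also covers the trick of deleting the Run entry while the program is active, since the running process is still there to be found. It assumes an elevated shell: unelevated, Win32_Process returns an empty ExecutablePath for SYSTEM-owned processes, which the script reports rather than passes.

```powershell
# Added example: find processes that reuse a system binary's name but do not run from
# the real System32 image, or that have an implausible parent. Run elevated so that
# ExecutablePath is readable for SYSTEM-owned processes.

$system32 = Join-Path $env:SystemRoot 'System32'
$watched  = @('svchost.exe', 'winlogon.exe', 'csrss.exe', 'lsass.exe', 'services.exe')

$procs = Get-CimInstance Win32_Process

# Index by PID so a child can look up its parent. Note that ParentProcessId is a
# snapshot value: if the parent exited and its PID was reused, the lookup can point
# at an unrelated process, so treat a parent mismatch as a lead, not proof.
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    if ($p.Name -notin $watched) { continue }
    $reasons = @()

    # Empty ExecutablePath means the caller could not open the process (protected
    # process or non-elevated shell). Report it instead of silently passing it.
    if (-not $p.ExecutablePath) {
        $reasons += 'image path not readable'
    } elseif (-not $p.ExecutablePath.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "image outside System32: $($p.ExecutablePath)"
    }

    # Genuine svchost.exe instances are started by the Service Control Manager.
    if ($p.Name -ieq 'svchost.exe') {
        $parent = $byPid[$p.ParentProcessId]
        if (-not $parent -or $parent.Name -ine 'services.exe') {
            $parentName = if ($parent) { $parent.Name } else { 'exited' }
            $reasons += "parent is '$parentName', not services.exe"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID  = $p.ProcessId
            Name = $p.Name
            Path = $p.ExecutablePath
            Why  = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

The footprint-matching advice in the thread does nothing against this check, because it never sorts by memory or CPU; and the winlogon.exe trick only stops Task Manager's kill button, not a path comparison. A renamed script launched from a Run key fails both the path test and, for svchost.exe, the parent test.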
SmOke_N

Don't let Dev / Null see this post :whistle:


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

JSThePatriot

Don't let Dev / Null see this post :whistle:

lol, I would have to say though he is a pretty good AV.. :dance:

I appreciate the watchfulness he exerts, and the research he does.

JS


AutoIt Links

File-String Hash Plugin Updated! 04-02-2008 Plugins have been discontinued. I just found out.

ComputerGetInfo UDF's Updated! 11-23-2006

External Links

Vortex Revolutions Engineer / Inventor (Web, Desktop, and Mobile Applications, Hardware Gizmos, Consulting, and more)

SmOke_N

No kidding... but I saw this post yesterday... and was surprised to see so many answers today to it... let alone our WARNING!!! Label wasn't on it yet :whistle:


quagmire1973

Why would one need such a program?

Don't be so paranoid :whistle:

It's an app that is used to kill applications that are not "authorized" in an educational environment.

JSThePatriot

If you take a look at a lot of the recent posts on this forum, then you will see why we are paranoid, and that we have good reason to be. AutoIt has several times been quarantined by AV vendors due to one person's stupidity in making a script that harmed a system. We don't want AutoIt used in a wrongful manner if it is possible to avoid.

JS


SmOke_N

If you noticed... Sim / infernosomething / blah or whoever he's calling himself these days... has a post on the board from today... using exactly what you have asked (changing the executable name to svchost). Now if you look at his former post... he would never have thought of that on his own, or even known to look for it.

Post-specific questions like these are better kept private via Personal Messenger, even if they are purely for educational uses, IMO.

Now working in the education field... I'm sure you can understand that...

I'd be willing to bet that 98% of the user base would be a bit peeved if they suddenly started getting complaints that their programs were blackballed because of something silly that could have been overcome with a bit of common sense/courtesy.

I'm not doubting your intentions... just playing the "Cautious Child".


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.
